race conditions
Security Advisory
=============================================================================
Advisory ID: CAU-2008-0001
Release Date: 04/01/2008
Title: Slowly Closing Door Race Condition
Application/OS: Physical Structures
Topic: Physical structures employing exit doors with locks
are vulnerable to a race condition.
Vendor Status: Not Notified
Attributes: Physical, Race Condition
=============================================================================
FreeBSD-SA-09:14.devfs Security Advisory
The FreeBSD Project
Topic: Devfs / VFS NULL pointer race condition
Category: core
Module: kern
Announced: 2009-10-02
Credits: Przemyslaw Frasunek
FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
systems in kevent() syscall, leading to kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add a possibly invalid file descriptor.
The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
* Affected versions: 0.92
* Overview:
1) ClamAV uses own functions to create temporary files. One such routine is
vulnerable to a race condition attack.
2) ClamAV fails to properly check for base64-UUEncoded files, allowing
bypassing of the scanner through the use of such files.
3) The sigtool utility included in the ClamAV distribution fails to handle
=============================================================================
FreeBSD-SA-09:13.pipe Security Advisory
The FreeBSD Project
Topic: kqueue pipe race conditions
Category: core
Module: kern
Announced: 2009-10-02
Credits: Przemyslaw Frasunek
Affects: FreeBSD 6.x
http://www.debian.org/security/ Thijs Kinkhorst
April 17, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : kdm (kdebase)
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2010-0436
Sebastian Krahmer discovered that a race condition in the KDE Desktop
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A race condition might lead to theft of user credentials or information
disclosure in services using nss_ldap.
Background
==========
Multiple integer underflows in the x25_parse_facilities function in
allow remote attackers to cause a denial of service (system crash)
via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3)
X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data. (CVE-2010-4164)
Race condition in the do_setlk function allows local users to cause a
denial of service (crash) via vectors resulting in an interrupted RPC
call that leads to a stray FL_POSIX lock, related to improper handling
of a race between fcntl and close in the EINTR case. (CVE-2009-4307)
Multiple integer overflows in fs/bio.c allow local users to cause
IBM DB2 Universal Database Multiple Race Condition Vulnerabilities
iDefense Security Advisory 08.16.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 16, 2007
I. BACKGROUND
IBM Corp.'s DB2 Universal Database product is a large database server
product commonly used for high end databases. For more information,
------------------------------------------------------------------------
PulseAudio local race condition privilege escalation vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The PulseAudio binary is affected by a local race condition. If the
For its implementation of the standard UNIX cron daemon, FreeBSD uses a version
based off vixie-cron. This package is installed by default, and includes a
setuid-root crontab binary to allow unprivileged users to list and modify their
own cronjobs.
I recently audited this code [1], and found a few interesting race conditions
and symlink attacks that allow for very minor information leakage. I thought
I'd share my findings because I enjoyed exploiting these issues and they don't
pose any significant risk to live systems - in other words, this advisory is
intended for system administrators and developers of FreeBSD-based systems;
journalists, end users and other non-technical readers do not need to be
functionality in the Linux kernel before 2.6.25.9 allows local users
to cause a denial of service (resource consumption and system outage)
via vectors involving a large addr_num field in an sctp_getaddrs_old
data structure. (CVE-2008-2826)
Race condition in the directory notification subsystem (dnotify)
in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1,
allows local users to cause a denial of service (OOPS) and possibly
gain privileges via unspecified vectors. (CVE-2008-1375)
The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Race conditions when editing files could lead to symlink attacks or
changes of ownerships of important files.
Background
==========
http://www.debian.org/security/ Moritz Muehlenhoff
March 25, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : systemtap
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2009-0784
Erik Sjoelund discovered that a race condition in the stap tool shipped
traversal vulnerability in chrome: URI handling could lead to
information disclosure.
CVE-2008-0419
David Bloom discovered a race condition in the image handling of
designMode elements, which can lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
After a standard system update you need to reboot your computer to make
all the necessary changes.
Details follow:
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
cause a denial of service by way of a NULL pointer dereference by
sending datagrams through AF_TIPC before entering network mode.
CVE-2010-1437
Toshiyuki Okajima reported a race condition in the keyring subsystem.
Local users can cause memory corruption via keyctl commands that
access a keyring in the process of being deleted, resulting in a
denial of service.
CVE-2010-1446
It was discovered that PowerPC kernels did not correctly handle reporting
certain system details. By requesting a specific set of information,
a local attacker could cause a system crash resulting in a denial
of service. (CVE-2007-6694)
A race condition was discovered between dnotify fcntl() and close() in
the kernel. If a local attacker performed malicious dnotify requests,
they could cause memory consumption leading to a denial of service,
or possibly send arbitrary signals to any process. (CVE-2008-1375)
On SMP systems, a race condition existed in fcntl(). Local attackers
indeed lead to a
change in access control semantics. Under POSIX, the file IS unwriteable,
because it is protected by the permissions on the parent directory.
(2) While it's irrelevant for his argument, the script by Pavel Machek has a
race condition. The 'chmod 700 /tmp/my_priv' should be done before the
file is created, not afterwards. Otherwise there is a window where the file
exists, but hardlink creation is not prevented by the directory permissions.
Isara
FreeBSD 6.4 and below are vulnerable to race condition between pipeclose() and
knlist_cleardel() resulting in NULL pointer dereference. The following code
exploits vulnerability to run code in kernel mode, giving root shell and
escaping from jail.
http://www.frasunek.com/pipe.txt
The bug was fixed a week ago and official security advisory was issued:
http://security.freebsd.org/advisories/FreeBSD-SA-09:13.pipe.asc
> - guest can access the house (write the file), because the house has all
> doors unlocked
Pavel required that the superuser have lax directory permissions and
subsequently make them more restrictive, which led to a flurry of
responses about hardlinks, race conditions, etc. My example merely
removed this aspect to demonstrate that it is not a race. In mine,
the directory permissions are 0700 from the start and there are no
races involved.
-jim
ZDI-09-087: Microsoft Internet Explorer CSS Race Condition Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-087
December 8, 2009
-- CVE ID:
CVE-2009-3673
-- Affected Vendors:
Microsoft
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device. (CVE-2007-5093)
A race condition in the directory notification subsystem (dnotify)
in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1,
allows local users to cause a denial of service (OOPS) and possibly
gain privileges via unspecified vectors. (CVE-2008-1375)
The Linux kernel before 2.6.25.2 does not apply a certain protection
> it becomes an 0day, and if he sells it to a vulnerability marketing
> company, then it is something else.
>
> I don't like this chain of logic. Whether a new vulnerability is an 0day
> or not depends entirely too much on the disclosure process, with funky
> race conditions in there.
>
> Rather, I just treat "0day" as a synonym for "new vulnerability" and
> don't give a hoot about the alleged intentions of whoever discovered it.
> What makes it an "0" day is that whoever is announcing it is first to
> announce it in public. You could only invalidate the 0day claim by
necessary changes.
Details follow:
Ronald Volgers discovered that the mount.cifs utility, when installed as a
setuid program, suffered from a race condition when verifying user
permissions. A local attacker could trick samba into mounting over
arbitrary locations, leading to a root privilege escalation.
Updated packages for Ubuntu 6.06 LTS:
man-in-the-middle attack, when using a proxy due to insufficient checks
on a certain proxy response. (MFSA 2009-27)
CVE-2009-1837
Jakob Balle and Carsten Eiram reported a race condition in the
NPObjWrapper_NewResolve function that can be used to execute arbitrary
code. (MFSA 2009-28)
CVE-2009-1838
Problem Description:
A vulnerability has been found and corrected in kdm
(kdebase/kdebase4-workspace):
KDM contains a race condition that allows local attackers to make
arbitrary files on the system world-writeable. This can happen
while KDM tries to create its control socket during user login. This
vulnerability has been discovered by Sebastian Krahmer from the SUSE
Security Team (CVE-2010-0436).
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3,
and release branches branch-1-4 through branch-1-9, when producing a
distribution tarball for a package that uses Automake, assign insecure
permissions (777) to directories in the build tree, which introduces
a race condition that allows local users to modify the contents of
package files, introduce Trojan horse programs, or conduct other
attacks before the build is complete (CVE-2009-4029).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
Derek Soeder has previously reported some legendary NT bugs, including multiple
vdm bugs that, while unrelated to this issue, make fascinating reading.
- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation
- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation
- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation
-------------------
Appendix
-----------------------